Juha Saarinen: Filesharing made invisible

Carna Botnet client distribution from March to December 2012. Photo / Supplied

The Carna botnet is quite some story: by accident, a self-confessed researcher discovers hundreds of thousands of open and unprotected devices - residential broadband routers - and proceeds to use them to survey the entire Internet.

For the technically minded, he did this by planting a small 250kbyte program on the open devices and remotely controlled it to scan as many addresses as possible and collected the responses (if any). The reason that was possible is because your broadband router is in fact a low-power computer, often running the Linux operating system. These devices usually come with a simple username and password combination that gives full access to the router. Enter it remotely and you control that box which has now become a bot in IT security jargon.

Here's the thing though: the researcher found 420,000 open devices to use for his distributed scanning botnet. In other words, open devices are incredibly common. Luckily for those whose devices were used for the Internet survey, the researcher didn't have any malicious intent per se. What he did was most likely illegal in many countries, but it's also really hard to detect.

Not many people log onto their routers to check what's going on because why would you? You configure them once or twice and that's really it. They just sit there, perhaps open, perhaps secured. It's not users' fault that the routers are wide-open because they were designed that way by manufacturers who should have known better. This is a huge scandal that consumer protection agencies should look into, in fact.

Techie people have known about open routers for ages. A source who used to work in the Internet field here told me that it was common at a provider - that shall remain unnamed - for people to use the same technique when they had hit the data caps on their own accounts. In other words, they were using bandwidth other people were paying for, unnoticed.

Being able to hijack someone else's router like this is of course tempting for criminals. Apart from routing their traffic via the device they can snoop on your data and capture login details for your Internet banking. This is what happened in Brazil last year, where millions of DSL modems were hijacked.

In the same way, it is also possible to use the open devices to torrent copyrighted material. Beyond perhaps wondering why so much more bandwidth was used, the victim will be none the wiser as the illicitly obtained material won't go on to her or his computer. Unless the victim logs on to the router and finds the program that's passing traffic to and from the open device it will seem like a total mystery. The Internet provider won't be able to see anything amiss either.

Better yet for the miscreant the torrents will be tracked to the account of the person with the open router. As we know, in New Zealand you are deemed guilty upon accusation and after three warnings, liable to be fined by the Copyright Tribunal (for music downloads at least). That is the law of the land and it is very hard to prove that you didn't download the material - in fact, I can't think of any other way apart from showing your innocence than demonstrating the router was switched off at the time of the crime.

Even then you'd probably struggle as it isn't guaranteed that whoever is adjudicating the case understands the finer points of internet working.

I'm not suggesting you do it, but it is not just possible but easy to share copyrighted material without being noticed and having someone else take the blame for it.

Sadly, the political parties in New Zealand have such feeble grasp of technology basics that they're not going to stop innocent people from falling into traps like the above.

With laws like the New Zealand anti-filesharing one around it's vital that you secure your router - or ask your ISP to do it.

It could mean installing updated firmware, turning off remote access and also changing the default password (it's "admin" more often than not).

If you don't, you could be next in line at the Copyright Tribunal, or worse.

Juha Saarinen is a technology journalist and writer living in Auckland. Apart from contributing to the New Zealand Herald over the years, he has written for the Guardian, Wired, PC World, Computerworld and ITnews Australia, covering networking, hardware, software, enterprise IT as well as the business and social aspects of computing. A firm believer in the principle that trying stuff out makes you understand things better, he spends way too much time wondering why things just don’t work.